Edwards Wildman Client Advisory: California Passes Three Privacy and Data Security Laws that Affect Many Companies


    California recently passed three significant new privacy laws, increasing many companies’ privacy and data protection obligations.

    First, California passed the first law in the United States that requires websites and online services to make certain disclosures regarding online tracking and targeted advertising. This law will likely have widespread effect, as many websites collect information from California residents.

    Second, also one of the first laws of its kind, California’s new “Social Eraser” law requires websites directed at minors to permit registered users who are minors to remove, or request removal of, content posted by the user.

    Finally, a new amendment to California’s breach notification statute extends notification requirements to the breach of California residents’ online account credentials, with distinctive obligations regarding method and content of such notices. Other states may soon follow suit, as they did after California enacted the first US breach notification statute in 2003 – in the past ten years, 45 other states enacted similar statutes modeled on California’s.

    Online Tracking Disclosures

    California has passed the first law in the United States that requires websites and online services to make certain disclosures regarding online tracking and targeted advertising.

    The law amends the California Online Privacy Protection Act (“CalOPPA”). Prior to the amendment, CalOPPA required a website and online service operator to disclose in its privacy policy the following information: (1) categories of personal information gathered; (2) parties with whom such information is shared; (3) if the operator maintains a process for consumers to review and change such information; (4) a description of the process by which the operator notifies users of changes to its privacy policy; and (5) the effective date of the policy.

    After the amendment, in addition to the foregoing, CalOPPA will also require the operator to: (1) disclose how the operator responds to “Do Not Track” signals or other mechanisms giving consumers the ability to exercise choice over the collection of personal information over time and across third-party websites or online services, if the operator engages in the collection of such information; and (2) disclose whether other parties may collect such information over time and across different Web sites when a consumer uses the operator’s site or service.

    The new law provides that the operator may comply with the first new requirement above by “providing a clear and conspicuous hyperlink” in its privacy policy “to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”

    This law will likely have widespread effect, as many websites collect information from California residents, and companies, regardless of where they are located, should begin to take steps to ensure compliance.

    Please see our previous client advisory for more information and discussion regarding the potential impact and implications of this new law.

    Social Eraser and Advertising Restrictions to Minors

    Also, as previously discussed in a Digilaw post, California passed a new law with respect to Privacy Rights for California Minors in the Digital World.

    The law will amend the California Business and Professions Code by adding Sections 22580-22582 to it. The complete text of the law can be found here.

    The law would prohibit websites from advertising certain items to minors if the “marketing or advertising is specifically directed to that minor based on information specific to that minor.” Among the prohibited items are alcoholic beverages, firearms, ammunition, spray paint, tobacco and cigarettes, fireworks, tattoos, drug paraphernalia, and obscene material.

    An operator can comply with such restrictions by taking reasonable actions in good faith to avoid such marketing and advertising.

    In addition to the foregoing advertising restrictions, the new law also implements what has been described as a “Social Eraser.”

    This provision requires operators of websites directed to minors, or with actual knowledge that minors are using the website, to (1) permit registered users who are minors to remove, or request removal of, content posted by the user (but not by third parties); (2) provide notice that the information may be removed; (3) provide clear instructions as to how to remove it; and (4) provide notice that such removal mechanisms do not ensure complete or comprehensive removal.

    The operator however does not have to erase or remove content if: (1) federal or state law requires its retention; (2) it was posted by a third party; (3) it is anonymous data; (4) the minor does not follow the instructions provided by the website regarding how to remove or request removal; or (5) the minor received compensation for the content.

    Lastly, the operator is deemed to be in compliance if (1) it renders the information no longer visible to third parties (even if it remains on the server); or (2) the content remains visible, even after the operator has made it invisible, because a third party has copied or reposted it.

    While it is possible that this law may face some legal challenges before it goes into effect on January 1, 2015, companies may want to begin to focus on how to implement some of the requirements of the law.

    Expansion of Breach Notification Obligations to Online Account Credentials

    California has expanded the definition of “personal information” in its breach notification statutes applicable to businesses (Cal. Civ. Code § 1798.82) and government agencies (Cal. Civ. Code § 1798.29) to include “user name or email address, in combination with a password or security question and answer that would permit access to an online account.” Currently, California’s breach notification statutes only apply to a breach of an individual’s name in combination with his or her Social Security number, driver’s license number or state-issued identification card number, financial account number, medical information or health insurance information.

    The amended statutes provide that, where no personal information other than online account credentials is breached, the breached entity may comply with the individual notification requirements by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account relating to the credentials, as well as any other online accounts for which the affected individual uses the same credentials or security question and answer.

    Further, under the amended statutes, where breached account credentials relate to an email account furnished by the breached entity, notification of the breach must not be sent to that email account, but rather via another permissible method of notice pursuant to the statute.


    Going forward, companies or agencies experiencing a breach affecting online account credentials will need to consider applicability of California’s breach notification statute.

    As California’s Attorney General has previously indicated that she believes that CalOPPA applies to operators in all jurisdictions that have California users, companies in all jurisdictions should take note of both the Online Tracking Disclosures and the Social Eraser/Advertising Restrictions to Minors, as they may become the de facto standard for all websites and online services.
